Petya: Ransomware or Other Cyber Attack? Advice for ForeScout customers.

The Petya (a.k.a. NotPetya/ExPetr) ransomware campaign is causing disruption to organizations and critical infrastructure around the globe. Similar to the May WannaCry outbreak, it impacts Windows systems and a successful infection results in encrypting the contents of the hard disk. However, unlike “traditional” ransomware attacks, this attack appears to encrypt files without the ability to decrypt them later. Therefore, successful attacks may result in effectively wiping the encrypted files, with backups being the only definitive data recovery method.

Threat research organizations have confirmed that the initial infection vector for the ransomware was via a compromised software update of the MeDoc financial package, which is popular in certain geographies and sectors. Once the initial system is infected, propagation methods include the ETERNALBLUE exploit that targets a vulnerability in the SMBv1 protocol (Microsoft Security Bulletin MS17-010) and was also used in the WannaCry ransomware.

Guidance for ForeScout customers
Patches for the SMBv1 vulnerability used by both WannaCry and Petya were issued for Windows versions in March and May 2017.

ForeScout recommends the following best practices for ForeScout CounterACT customers:

Customers should ensure that they have updated their CounterACT deployments to the latest HPS Vulnerability Database (version 17.0.5) that was released on June 22, 2017. Customers that use the best practice “Windows update compliance” or equivalent policy to detect and patch non-compliant endpoints are protecting their Windows endpoints from vulnerabilities exploited by the Petya ransomware.

ForeScout customers can also use the ETERNALBLUE breakdown policy (Security Policy Templates 17.0.6) to detect Windows systems on the network that are vulnerable to MS17-010.

Customers can protect vulnerable systems by applying the recent Microsoft patch relevant to the appropriate Windows operating system variant. CounterACT can help automate the process to isolate vulnerable systems on the network, place them in a remediation zone and initiate the remediation/patching process.
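The SMBv1 exposure that the patch and the policy template above address can be audited directly on an endpoint. The following PowerShell script is an added example, not ForeScout's or CounterACT's code: it reports whether the SMBv1 server is enabled (using the SMB cmdlets where they exist, and the LanmanServer registry value on Windows 7 / Server 2008 R2), optionally checks for an MS17-010 hotfix, and can disable SMBv1. The `$RequiredKbs` list is a placeholder to be filled with the KB numbers that apply to the host's Windows version; it is empty here because the post does not list them.

```powershell
# Added example (not ForeScout's code): audit a Windows host for the SMBv1
# exposure that ETERNALBLUE targets, and optionally disable the SMBv1 server.
# Assumptions: run from an elevated PowerShell session; $RequiredKbs is a
# placeholder for the MS17-010 KB identifiers that match this OS version.
[CmdletBinding()]
param(
    [string[]]$RequiredKbs = @(),   # placeholder: MS17-010 KB(s) for this OS
    [switch]$DisableSmb1
)

function Get-Smb1State {
    # Windows 8 / Server 2012 and later expose the setting through the SMB cmdlets.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: fall back to the LanmanServer registry value.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    # The value is absent by default, and absent means SMBv1 is enabled.
    if ($null -eq $val) { return $true }
    return ($val.SMB1 -ne 0)
}

function Test-RequiredHotfix {
    param([string[]]$Kbs)
    # Returns $null when no KB list was supplied, $true if any listed KB is installed.
    if (-not $Kbs) { return $null }
    $installed = (Get-HotFix).HotFixID
    foreach ($kb in $Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

$smb1On  = Get-Smb1State
$patched = Test-RequiredHotfix -Kbs $RequiredKbs

if ($null -eq $patched)  { $patchState = 'not checked' }
elseif ($patched)        { $patchState = 'present' }
else                     { $patchState = 'MISSING' }

# "Exposed" means the SMBv1 server is reachable and the patch is not confirmed.
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    Smb1Enabled  = $smb1On
    Ms17010Patch = $patchState
    Exposed      = ($smb1On -and ($patched -ne $true))
} | Format-List

if ($DisableSmb1 -and $smb1On) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0
        Write-Host 'Registry updated; a reboot is required on Windows 7 / Server 2008 R2.'
    }
    Write-Host 'SMBv1 server disabled.'
}
```

Run the script without switches to get a report line per host (for example from a remediation-zone job), and with `-DisableSmb1` to turn the SMBv1 server off where it is still enabled. Disabling SMBv1 reduces exposure but does not replace the MS17-010 patch, which is why the report tracks both.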

ForeScout customers should ensure that their Windows endpoints have updated anti-virus signature databases to protect them from any malware variants. CounterACT policies can automate the process to help ensure that anti-virus engines are installed, running and up-to-date on your Windows endpoints.

Finally, customers can “vaccinate” Windows endpoints by making them pose as systems already infected by Petya. The “antidote” in this case is to create a read-only file named C:\Windows\perfc. A policy template to assist customers to systematically apply the vaccination to all corporate Windows endpoints is included in “Security Policy Templates 17.0.6”.
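The vaccination step can be applied and verified on a single endpoint with the following PowerShell script. This is an added example, not ForeScout's code or the policy template the post refers to: it creates the read-only `C:\Windows\perfc` file named above if it is missing, sets the ReadOnly attribute without disturbing any other attributes, and then checks the result. The `$Path` parameter defaults to the location the post gives, resolved through `$env:SystemRoot`.

```powershell
# Added example (not ForeScout's code): create and verify the read-only
# C:\Windows\perfc "vaccine" file described in the post.
# Assumptions: run from an elevated session; $Path defaults to %SystemRoot%\perfc.
param(
    [string]$Path = (Join-Path $env:SystemRoot 'perfc')
)

function Set-PetyaVaccine {
    param([string]$FilePath)
    if (-not (Test-Path -LiteralPath $FilePath)) {
        # A zero-byte file is enough; only the file's presence matters.
        New-Item -Path $FilePath -ItemType File -Force | Out-Null
    }
    $item = Get-Item -LiteralPath $FilePath -Force
    # Add ReadOnly on top of whatever attributes the file already carries.
    $item.Attributes = $item.Attributes -bor [System.IO.FileAttributes]::ReadOnly
    return $item
}

function Test-PetyaVaccine {
    param([string]$FilePath)
    # True only if the path is an existing file (not a directory) with ReadOnly set.
    $item = Get-Item -LiteralPath $FilePath -Force -ErrorAction SilentlyContinue
    if ($null -eq $item -or $item.PSIsContainer) { return $false }
    return [bool]($item.Attributes -band [System.IO.FileAttributes]::ReadOnly)
}

Set-PetyaVaccine -FilePath $Path | Out-Null
if (Test-PetyaVaccine -FilePath $Path) {
    Write-Host "Vaccinated: $Path exists and is read-only"
} else {
    Write-Warning "Vaccination check failed for $Path"
    exit 1
}
```

The exit code lets an endpoint-management job record which hosts the vaccine was applied to; `Test-PetyaVaccine` can also be run on its own as a compliance check, since a file that has lost its ReadOnly attribute no longer provides the protection described above.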

ForeScout will continue monitoring the threat landscape and provide further updates as needed.
